14. What is the primary mechanism for controlling the configuration of client
computers in Windows?
15. Can more than one group policy be applied to a single machine?
16. Does share security work on FAT file system shares?
Answers
1. Mandatory user logon is the foundation of security in Windows.
2. The local computer accounts are stored in the registry.
3. Security Identifiers (SIDs) represent user accounts.
4. The WinLogon process manages the login process.
5. Kerberos is used to authenticate user accounts in Windows 2000 domains.
6. The user’s identity is passed to running programs by the inheritance of the access token
from the launching program.
7. The LSA compares your access token to the object’s security descriptor Access Control
List in order to determine whether or not you should have access.
8. An object’s owner has the right to change the object’s permissions irrespective of a user’s
permissions to the object.
9. The System Access Control List is used to audit various types of access to an object.
10. Rights affect many or all objects, whereas permissions are specific to each object.
11. Inheritance refers to objects receiving a copy of the containing folder’s ACL when they
are created.
12. User accounts are stored in the Active Directory.
13. Yes. In Kerberos, trusts transit domain relationships.
14. Group policy is the primary mechanism for controlling the configuration of client computers in Windows.
15. Yes. Early policy changes are overwritten by later policy changes when multiple policies
are applied.
16. Yes. Share security works on FAT file system shares.
Terms to Know
• Access Control Entry (ACE)
• access token
• Active Directory
• computer accounts
• computer policy
• deny ACE
• Directory Services Agent (DSA)
• Discretionary Access Control List (DACL)
• domain
• group policy
• inherit
• Kerberos
• Key Distribution Center (KDC)
• Local Security Authority (LSA)
• Locally Unique Identifier (LUID)
• logon prompt
• No Access permission
• New Technology File System (NTFS)
• New Technology LAN Manager (NTLM)
• objects
• owner
• parent
• permission
• process
• registry
• Security Accounts Manager (SAM)
• Security Descriptor
• Security Group
• Security Identifier (SID)
• security principle
• shares
• System Access Control List (SACL)
• Ticket
• user account
• user policy
• user rights
• Windows Explorer
Chapter 11: Securing Unix Servers
The security mechanisms available in standard UNIX (that being AT&T System V version 4, which essentially match those of BSD) are significantly simpler than those in Windows. Unix
was originally developed as a “security simplified” alternative to Multics—as such, security is mostly an afterthought designed more to prevent accidental harm by legitimate users than to
keep hackers at bay. Microsoft specifically designed the NT kernel to allow for much more expressive configuration of security than Unix in order to out-compete it.
But complexity doesn’t equal security—in fact, in most situations, complexity is anathema to security. And, the default configuration of Windows after an installation bypasses most of
Windows’ sophisticated security mechanisms anyway, whereas Unix security is usually considerably stricter than Windows security out-of-the-box. In practice, Unix security can be
configured similarly to Windows despite its inherent simplicity.
A Brief History of Unix
To understand Unix security, it’s important to understand why Unix was developed and how it evolved. In the mid-1960s, GE, MIT, and AT&T Bell Labs began development of an
operating system that was supposed to become the standard operating system for the U.S. government. This system was called Multics, and its primary purpose was to support multiple
users, multiple running programs, and multiple security levels simultaneously.
Multics